System and method of containing computer worms

ABSTRACT

A computer worm containment system comprises a detection system and a blocking system. The detection system orchestrates a sequence of network activities in a decoy computer network and monitors that network to identify anomalous behavior and determine whether the anomalous behavior is caused by a computer worm. The detection system can then determine an identifier of the computer worm based on the anomalous behavior. The detection system can also generate a recovery script for disabling the computer worm or repairing damage caused by the computer worm. The blocking system is configured to use the computer worm identifier to protect another computer network. The blocking system can also use the recovery script to disable a computer worm within the other network and to repair damage caused to the network by the worm.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of U.S. provision patent applicationNo. 60/579,953, filed Jun. 14, 2004 and entitled “System and Method ofDetecting Computer Worms,” which is incorporated by reference herein.This application is related to U.S. patent application Ser. No.11/096,287, filed Mar. 31, 2005 and entitled “System and Method ofDetecting Computer Worms,” and U.S. patent application Ser. No.11/152,286, filed on even date herewith and entitled “Computer WormDefense System and Method.”

BACKGROUND

1. Field of the Invention

The present invention relates generally to computing systems, and moreparticularly to systems and methods of detecting and blocking computerworms in computer networks.

2. Background Art

Detecting and distinguishing computer worms from ordinary communicationstraffic within a computer network is a challenging problem. Moreover,modern computer worms operate at an ever increasing level ofsophistication and complexity. Consequently, it has become increasinglydifficult to detect computer worms.

A computer worm can propagate through a computer network by using activepropagation techniques. One such active propagation technique is toselect target systems to infect by scanning network address space (e.g.,a scan-directed computer worm). Another active propagation technique isto use topological information from an infected system to activelypropagate the computer worm in the system (e.g., a topologicallydirected computer worm). Still another active propagation technique isto select target systems to infect based on some combination ofpreviously generated lists of target systems (e.g., a hit-list directedcomputer worm).

In addition to the active propagation techniques, a computer worm maypropagate through a computer network by using passive propagationtechniques. One passive propagation technique is for the worm to attachitself to a normal network communication not initiated by the computerworm itself (e.g., a stealthy or passive contagion computer worm). Thecomputer worm then propagates through the computer network in thecontext of normal communication patterns not directed by the computerworm.

It is anticipated that next-generation computer worms will have multipletransport vectors, use multiple target selection techniques, have nopreviously known signatures, and will target previously unknownvulnerabilities. It is also anticipated that next generation computerworms will use a combination of active and passive propagationtechniques and may emit chaff traffic (i.e., spurious traffic generatedby the computer worm) to cloak the communication traffic that carriesthe actual exploit sequences of the computer worms. This chaff trafficwill be emitted in order to confuse computer worm detection systems andto potentially trigger a broad denial-of-service by an automatedresponse system.

Approaches for detecting computer worms in a computer system includemisuse detection and anomaly detection. In misuse detection, knownattack patterns of computer worms are used to detect the presence of thecomputer worm. Misuse detection works reliably for known attack patternsbut is not particularly useful for detecting novel attacks. In contrastto misuse detection, anomaly detection has the ability to detect novelattacks. In anomaly detection, a baseline of normal behavior in acomputer network is created so that deviations from this behavior can beflagged as anomalous. The difficulty inherent in this approach is thatuniversal definitions of normal behavior are difficult to obtain. Giventhis limitation, anomaly detection approaches strive to minimize falsepositive rates of computer worm detection.

In one suggested computer worm containment system, detection devices aredeployed in a computer network to monitor outbound network traffic anddetect active scan directed computer worms within the computer network.To achieve effective containment of these active computer worms, asmeasured by the total infection rate over the entire population ofsystems, the detection devices are widely deployed in the computernetwork in an attempt to detect computer worm traffic close to a sourceof the computer worm traffic. Once detected, these computer worms arecontained by using an address blacklisting technique. This computer wormcontainment system, however, does not have a mechanism for repair andrecovery of infected computer networks.

In another suggested computer worm containment system, the protocols(e.g., network protocols) of network packets are checked for standardscompliance under an assumption that a computer worm will violate theprotocol standards (e.g., exploit the protocol standards) in order tosuccessfully infect a computer network. While this approach may besuccessful in some circumstances, this approach is limited in othercircumstances. Firstly, it is possible for a network packet to be fullycompatible with published protocol standard specifications and stilltrigger a buffer overflow type of software error due to the presence ofa software bug. Secondly, not all protocols of interest can be checkedfor standards compliance because proprietary or undocumented protocolsmay be used in a computer network. Moreover, evolutions of existingprotocols and the introduction of new protocols may lead to high falsepositive rates of computer worm detection when “good” behavior cannot beproperly and completely distinguished from “bad” behavior. Encryptedcommunications channels further complicate protocol checking becauseprotocol compliance cannot be easily validated at the network level forencrypted traffic.

In another approach to computer worm containment, “honey farms” havebeen proposed. A honey farm includes “honeypots” that are sensitive toprobe attempts in a computer network. One problem with this approach isthat probe attempts do not necessarily indicate the presence of acomputer worm because there may be legitimate reasons for probing acomputer network. For example, a computer network can be legitimatelyprobed by scanning an Internet Protocol (IP) address range to identifypoorly configured or rogue devices in the computer network. Anotherproblem with this approach is that a conventional honey farm does notdetect passive computer worms and does not extract signatures ortransport vectors in the face of chaff emitting computer worms.

Another approach to computer worm containment assumes that computer wormprobes are identifiable at a given worm sensor in a computer networkbecause the computer worm probes will target well known vulnerabilitiesand thus have well known signatures which can be detected using asignature-based intrusion detection system. Although this approach maywork for well known computer worms that periodically recur, such as theCodeRed computer worm, this approach does not work for novel computerworm attacks exploiting a zero-day vulnerability (e.g., a vulnerabilitythat is not widely known).

One suggested computer worm containment system attempts to detectcomputer worms by observing communication patterns between computersystems in a computer network. In this system, connection historiesbetween computer systems are analyzed to discover patterns that mayrepresent a propagation trail of the computer worm. In addition to falsepositive related problems, the computer worm containment system does notdistinguish between the actual transport vector of a computer worm and atransport vector including a spuriously emitted chaff trail. As aresult, simply examining malicious traffic to determine the transportvector can lead to a broad denial of service (DOS) attack on thecomputer network. Further, the computer worm containment system does notdetermine a signature of the computer worm that can be used to implementcontent filtering of the computer worm. In addition, the computer wormcontainment system does not have the ability to detect stealthy passivecomputer worms, which by their very nature cause no anomalouscommunication patterns.

In light of the above, there exists a need for an effective system andmethod of containing computer worms.

SUMMARY OF THE INVENTION

A computer worm containment system addresses the need for detecting andcontaining computer worms in real time by integrating detection withcontainment in a single system. An exemplary computer worm containmentsystem, according to some embodiments of the invention, comprises acomputer worm detection system and a computer worm blocking system. Inthese embodiments the computer worm detection system includes a hiddencomputer network that is representative of a communication network beingprotected by the computer worm blocking system. The computer wormdetection system also includes a controller configured to monitor thehidden computer network and to determine an identifier of a computerworm based on anomalous behavior caused within the hidden computernetwork by the computer worm. The computer worm blocking system isconfigured to receive the identifier and then use the identifier toblock the computer worm from propagating within a communication network.

In some embodiments the hidden network is infected by computer worms togenerate the anomalous behavior. In other embodiments certain sequencesof network communications that are observed in the communicationnetwork, and that are deemed to be characteristic of computer worms, arereproduced in the hidden network to generate the anomalous behavior. Infurther embodiments both mechanisms are employed. Regardless of themechanism used to produce the anomalous behavior, these containmentsystems are designed to identify computer worms within a communicationnetwork and then block the computer worms from further propagatingwithin the communication network. Because of the rapid responsivenessafforded by these systems, the protection is deemed to be real-time.

Methods of containing computer worms are also provided herein. Anexemplary embodiment of a method according to the present inventioncomprises detecting a computer worm within a communication network,providing an identifier of the computer worm to a computer worm blockingsystem of the communication network, and blocking the computer worm frompropagating within the communication network. Here, detecting thecomputer worm is achieved by identifying a sequence of networkcommunications within the communication network that are characteristicof the computer worm, providing the sequence of network communicationsto a hidden network, and determining the identifier from anomalousbehavior in the hidden network.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 depicts a computing environment in which a worm sensor can beimplemented, in accordance with one embodiment of the present invention.

FIG. 2 depicts a controller of a computer worm sensor, in accordancewith one embodiment of the present invention.

FIG. 3 depicts a computer worm detection system, in accordance with oneembodiment of the present invention.

FIG. 4 depicts a flow chart for a method of detecting computer worms, inaccordance with one embodiment of the present invention.

FIG. 5 depicts a computer worm containment system, in accordance withone embodiment of the present invention.

DETAILED DESCRIPTION

A computer worm containment system in accordance with one embodiment ofthe present invention detects and blocks computer worms. Detection canbe accomplished through the use of a computer worm detection system thatemploys a decoy computer network having orchestrated network activities.The computer worm detection system is configured to permit computerworms to infect the decoy computer network. Alternately, rather thaninfect the decoy network, communications that are characteristic of acomputer worm can be filtered from communication traffic and replayed inthe decoy network. Detection is then based on the monitored behavior ofthe decoy computer network. Once a computer worm has been detected, anidentifier of the computer worm is determined and provided to a computerworm blocking system that is configured to protect one or more computersystems of a real computer network. In some embodiments, the computerworm detection system can generate a recovery script to disable thecomputer worm and repair damage caused to the one or more computersystems, and in some instances, the computer worm blocking systeminitiates the repair and recovery of the infected systems.

FIG. 1 depicts an exemplary computing environment 100 in which acomputer worm sensor 105 is implemented, in accordance with oneembodiment of the present invention. In various embodiments, thecomputer worm sensor 105 functions as a computer worm detection system,as is described more fully herein. The computer worm sensor 105 includesa controller 115, a computer network 110 (e.g., a hidden or decoynetwork), and a gateway 125 (e.g., a wormhole system). The computernetwork 110 includes one or more computing systems 120 (e.g., hiddensystems) in communication with each other. The controller 115 and thegateway 125 are in communication with the computer network 110 and thecomputing systems 120. Additionally, the gateway 125 is in communicationwith a communication network 130 (e.g., a production network). Thecommunication network 130 can be a public computer network such as theInternet, or a private computer network, such as a wirelesstelecommunication network.

Optionally, the computer worm sensor 105 may include one or more trafficanalysis devices 135 in communication with the communication network130. A traffic analysis device 135 analyzes network traffic in thecommunication network 130 to identify network communicationscharacteristic of a computer worm. The traffic analysis device 135 canthen selectively duplicate the identified network communications andprovide the duplicated network communications to the controller 115. Thecontroller 115 replays the duplicated network communications in thecomputer network 110 to determine whether the network communicationsinclude a computer worm.

The computing systems 120 are computing devices typically found in acomputer network. For example, the computing systems 120 can includecomputing clients or servers. As a further example, the computingsystems 120 can include gateways and subnets in the computer network110. Each of the computing systems 120 and the gateway 125 can havedifferent hardware or software profiles.

The gateway 125 allows computer worms to pass from the communicationnetwork 130 to the computer network 110. The computer worm sensor 105can include multiple gateways 125 in communication with multiplecommunication networks 130. These communication networks 130 may also bein communication with each other. For example, the communication network130 can be part of the Internet or in communication with the Internet.In one embodiment, each of the gateways 125 can be in communication withmultiple communication networks 130.

The controller 115 controls the operation of the computing systems 120and the gateway 125 to orchestrate network activities in the computerworm sensor 105. In one embodiment, the orchestrated network activitiesare a predetermined sequence of network activities in the computernetwork 110, which represents an orchestrated behavior of the computernetwork 110. In this embodiment, the controller 115 monitors thecomputer network 110 to determine a monitored behavior of the computernetwork 110 in response to the orchestrated network activities. Thecontroller 115 then compares the monitored behavior of the computernetwork 110, with a predetermined orchestrated behavior to identify ananomalous behavior.

Anomalous behavior may include a communication anomaly, like anunexpected network communication, or an execution anomaly, for example,an unexpected execution of computer program code. If the controller 115identifies an anomalous behavior, the computer network 110 is deemed tobe infected with a computer worm. In this way, the controller 115 candetect the presence of a computer worm in the computer network 110 basedon an anomalous behavior of the computer worm in the computer network110. The controller 115 then creates an identifier (i.e., a “definition”of the anomalous behavior), which can be used for detecting the computerworm in another computer network, such as the communication network 130.

The identifier determined by the controller 115 for a computer worm inthe computer network 110 can be a signature that characterizes theanomalous behavior of the computer worm. The signature can then be usedto detect the computer worm in another computer network. In oneembodiment, the signature indicates a sequence of ports in the computernetwork 110 along with data used to exploit each of the ports forinstance, the signature can be a set of tuples {(p₁, c₁), (p₂, c₂), . .. }, where p_(n) represents a Transfer Control Protocol (TCP) or a UserDatagram Protocol (UDP) port number, and c_(n) is signature datacontained in a TCP or UDP packet used to exploit a port associated withthe port number. For example, the signature data can be 16-32 bytes ofdata in a data portion of a data packet.

The controller 115 can determine a signature of a computer worm based ona uniform resource locator (URL), and can generate the signature byusing a URL filtering device, which represents a specific case ofcontent filtering. For example, the controller 115 can identify auniform resource locator (URL) in data packets of Hyper Text TransferProtocol (HTTP) traffic and can extract a signature from the URL.Further, the controller 115 can create a regular expression for the URLand include the regular expression in the signature such that each tupleof the signature includes a destination port and the regular expression.In this way, a URL filtering device can use the signature to filter outnetwork traffic associated with the URL. The controller 115, in someembodiments, can also filter data packet traffic for a sequence oftokens and dynamically produce a signature having a regular expressionthat includes the token sequence.

Alternatively, the identifier may be a vector (e.g., a propagationvector, an attack vector, or a payload vector) that characterizes ananomalous behavior of the computer worm in the computer network 110. Forexample, the vector can be a propagation vector (i.e., a transportvector) that characterizes a sequence of paths traveled by the computerworm in the computer network 110. The propagation vector may include aset {p₁, p₂, p₃, . . . }, where p_(n) represents a port number (e.g., aTCP or UDP port number) in the computer network 110 and identifies atransport protocol (e.g., TCP or UDP) used by the computer worm toaccess the port. Further, the identifier may be a multi-vector thatcharacterizes multiple propagation vectors for the computer worm. Inthis way, the vector can characterize a computer worm that uses avariety of techniques to propagate in the computer network 110. Thesetechniques may include dynamic assignment of probe addresses to thecomputing systems 120, network address translation (NAT) of probeaddresses to the computing systems 120, obtaining topological serviceinformation from the computer network 110, or propagating throughmultiple gateways 125 of the computer worm sensor 105.

The controller 115 can be configured to orchestrate network activities(e.g., network communications or computing services) in the computernetwork 110 based on one or more orchestration patterns. In oneembodiment, the controller 115 generates a series of networkcommunications based on an orchestration pattern to exercise one or morecomputing services (e.g., Telnet, FTP, or SMTP) in the computer network110. In this embodiment, the orchestration pattern produces anorchestrated behavior (e.g., an expected behavior) of the computernetwork 110 in the absence of computer worm infection. The controller115 then monitors network activities in the computer network 110 (e.g.,the network communications and computing services accessed by thenetwork communications) to determine a monitored behavior of thecomputer network 110, and compares the monitored behavior with theorchestrated behavior. If the monitored behavior does not match theorchestrated behavior, the computer network 110 is deemed to be infectedwith a computer worm. The controller 115 then identifies an anomalousbehavior in the monitored behavior (e.g., a network activity in themonitored behavior that does not match the orchestration pattern) anddetermines an identifier for the computer worm based on the anomalousbehavior.

In another embodiment, an orchestrated pattern is associated with a typeof network communication. In this embodiment, the gateway 125 identifiesthe type of a network communication received by the gateway 125 from thecommunication network 130 before propagating the network communicationto the computer network 110. The controller 115 then selects anorchestration pattern based on the type of network communicationidentified by the gateway 125 and orchestrates network activities in thecomputer network 110 based on the selected orchestration pattern. In thecomputer network 110, the network communication accesses one or morecomputing systems 120 via one or more ports to access one or morecomputing services (e.g., network services) provided by the computingsystems 120.

For example, the network communication may access an FTP server on oneof the computing systems 120 via a well-known or registered FTP portnumber using an appropriate network protocol (e.g., TCP or UDP). In thisexample, the orchestration pattern includes the identity of thecomputing system 120, the FTP port number, and the appropriate networkprotocol for the FTP server. If the monitored behavior of the computernetwork 110 does not match the orchestrated behavior expected from theorchestration pattern, the network communication is deemed to beinfected with a computer worm. The controller 115 then determines anidentifier for the computer worm based on the monitored behavior, as isdescribed in more detail herein.

The controller 115 orchestrates network activities in the computernetwork 110 such that the detection of anomalous behavior in thecomputer network 110 is simple and highly reliable. All behavior (e.g.,network activities) of the computer network 110 that is not part of anorchestrated behavior represents an anomalous behavior. In alternativeembodiments, the monitored behavior of the computer network 110 that isnot part of the orchestrated behavior is analyzed to determine whetherany of the monitored behavior is an anomalous behavior.

In another embodiment, the controller 115 periodically orchestratesnetwork activities in the computer network 110 to access variouscomputing services (e.g., web servers or file servers) in thecommunication network 130. In this way, a computer worm that hasinfected one of these computing services may propagate from thecommunication network 130 to the computer network 110 via theorchestrated network activities. The controller 115 then orchestratesnetwork activities to access the same computing services in the computernetwork 110 and monitors a behavior of the computer network 110 inresponse to the orchestrated network activities. If the computer wormhas infected the computer network 110, the controller 115 detects thecomputer worm based on an anomalous behavior of the computer worm in themonitored behavior, as is described more fully herein.

In one embodiment, a single orchestration pattern exercises allavailable computing services in the computer network 110. In otherembodiments, each orchestration pattern exercises selected computingservices in the computer network 110, or the orchestration patterns forthe computer network 110 are dynamic (e.g., vary over time). Forexample, a user of the computer worm sensor 105 may add, delete, ormodify the orchestration patterns to change the orchestrated behavior ofthe computer network 110.

In one embodiment, the controller 115 orchestrates network activities inthe computer network 110 to prevent a computer worm in the communicationnetwork 130 from recognizing the computer network 110 as a decoy. Forexample, a computer worm may identify and avoid inactive computernetworks, as such networks may be decoy computer networks deployed fordetecting the computer worm (e.g., the computer network 110). In thisembodiment, therefore, the controller 115 orchestrates networkactivities in the computer network 110 to prevent the computer worm fromavoiding the computer network 110.

In another embodiment, the controller 115 analyzes both the packetheader and the data portion of data packets in network communications inthe computer network 110 to detect anomalous behavior in the computernetwork 110. For example, the controller 115 can compare the packetheader and the data portion of the data packets with those of datapackets propagated pursuant to an orchestration pattern to determinewhether the network communications data packets constitute anomalousbehavior in the computer network 110. Because the network communicationpropagated pursuant to the orchestration pattern is an orchestratedbehavior of the computer network 110, the controller 115 avoids falsepositive detection of anomalous behavior in the computer network 110,which can occur in anomaly detection systems operating on unconstrainedcomputer networks. In this way, the controller 115 reliably detectscomputer worms in the computer network 110 based on the anomalousbehavior.

To further illustrate what is meant by reliable detection of anomalousbehavior, for example, an orchestration pattern can be used that isexpected to cause emission of a sequence of data packets (a, b, c, d) inthe computer network 110. The controller 115 orchestrates networkactivities in the computer network 110 based on the orchestrationpattern and monitors the behavior (e.g., measures the network traffic)of the computer network 110. If the monitored behavior of the computernetwork 110 includes a sequence of data packets (a, b, c, d, e, f), thenthe extra data packets (e, f) represent an anomalous behavior (e.g.,anomalous traffic). This anomalous behavior may be caused by an activecomputer worm propagating inside the computer network 110.

As another example, if an orchestration pattern is expected to causeemission of a sequence of data packets (a, b, c, d) in the computernetwork 110, but the monitored behavior includes a sequence of datapackets (a, b′, c′, d), the modified data packets (b′, c′) represent ananomalous behavior in the computer network 110. This anomalous behaviormay be caused by a passive computer worm propagating inside the computernetwork 110.

In various further embodiments, the controller 115 generates a recoveryscript for the computer worm, as is described more fully herein. Thecontroller 115 can then execute the recovery script to disable (e.g.,destroy) the computer worm in the computer worm sensor 105 (e.g., removethe computer worm from the computing systems 120 and the gateway 125).Moreover, the controller 115 can output the recovery script for use indisabling the computer worm in other infected computer networks andsystems.

In another embodiment, the controller 115 identifies the source of acomputer worm based on a network communication containing the computerworm. For example, the controller 115 may identify an infected host(e.g., a computing system) in the communication network 130 thatgenerated the network communication containing the computer worm. Inthis example, the controller 115 transmits the recovery script via thegateway 125 to the host in the communication network 130. In turn, thehost executes the recovery script to disable the computer worm in thehost. In various further embodiments, the recovery script is alsocapable of repairing damage to the host caused by the computer worm.

The computer worm sensor 105 can export the recovery script, in someembodiments, to a bootable compact disc (CD) or floppy disk that can beloaded into infected hosts to repair the infected hosts. For example,the recovery script can include an operating system for the infectedhost and repair scripts that are invoked as part of the booting processof the operating system to repair an infected host. Alternatively, thecomputer worm sensor 105 may provide the recovery script to an infectedcomputer network (e.g., the communication network 130) so that thecomputer network 130 can direct infected hosts in the communicationnetwork 130 to reboot and load the operating system in the recoveryscript.

In another embodiment, the computer worm sensor 105 uses a per-hostdetection and recovery mechanism to recover hosts (e.g., computingsystems) in a computer network (e.g., the communication network 130).The computer worm sensor 105 generates a recovery script including adetection process for detecting the computer worm and a recovery processfor disabling the computer worm and repairing damage caused by thecomputer worm. The computer worm sensor 105 provides the recovery scriptto hosts in a computer network and each host executes the detectionprocess. If the host detects the computer worm, the host then executesthe recovery process. In this way, a computer worm that performs randomcorruptive acts on the different hosts (e.g., computing systems) in thecomputer network can be disabled in the computer network and damage tothe computer network caused by the computer worm can be repaired.

The computer worm sensor 105 can be a single integrated system, such asa network device or a network appliance, which is deployed in thecommunication network 130 (e.g., a commercial or military computernetwork). Alternatively, the computer worm sensor 105 may includeintegrated software for controlling operation of the computer wormsensor 105, such that per-host software (e.g., individual software foreach computing system 120 and gateway 125) is not required.

The computer worm sensor 105 can also be a hardware module, such as acombinational logic circuit, a sequential logic circuit, a programmablelogic device, or a computing device, among others. Alternatively, thecomputer worm sensor 105 may include one or more software modulescontaining computer program code, such as a computer program, a softwareroutine, binary code, or firmware, among others. The software code canbe contained in a permanent memory storage device such as a compact discread-only memory (CD-ROM), a hard disk, or other memory storage device.In various embodiments, the computer worm sensor 105 includes bothhardware and software modules.

In some embodiments, the computer worm sensor 105 is substantiallytransparent to the communication network 130 and does not substantiallyaffect the performance or availability of the communication network 130.For example, the software in the computer worm sensor 105 may be hiddensuch that a computer worm cannot detect the computer worm sensor 105 bychecking for the existence of files (e.g., software programs) in thecomputer worm sensor 105 or by performing a simple signature check ofthe files. In other embodiments, the software configuration of thecomputer worm sensor 105 is hidden by employing one or more well-knownpolymorphic techniques used by viruses to evade signature-baseddetection.

In another embodiment, the gateway 125 facilitates propagation ofcomputer worms from the communication network 130 to the computernetwork 110, with the controller 115 orchestrating network activities inthe computer network 110 to actively propagate the computer worms fromthe communication network 130 to the computer network 110. For example,the controller 115 can originate one or more network communicationsbetween the computer network 110 and the communication network 130. Inthis way, a passive computer worm in the communication network 130 canattach to one of the network communications and propagate along with thenetwork communication from the communication network 130 to the computernetwork 110. Once the computer worm is in the computer network 110, thecontroller 115 can detect the computer worm based on an anomalousbehavior of the computer worm, as is described in more fully herein.

In another embodiment, the gateway 125 selectively prevents normalnetwork traffic (e.g., network traffic not generated by a computer worm)from propagating from the communication network 130 to the computernetwork 110 to prevent various anomalies or perturbations in thecomputer network 110. In this way, the orchestrated behavior of thecomputer network 110 can be simplified to increase the reliability ofthe computer worm sensor 105.

For example, the gateway 125 can prevent Internet Protocol (IP) datapackets from being routed from the communication network 130 to thecomputer network 110. Alternatively, the gateway 125 can preventbroadcast and multicast network communications from being transmittedfrom the communication network 130 to the computer network 110, preventcommunications generated by remote shell applications (e.g., Telnet) inthe communication network 130 from propagating to the computer network110, or exclude various application level gateways including proxyservices that are typically present in a computer network forapplication programs in the computer network. Such application programscan include a Web browser, an FTP server and a mail server, and theproxy services can include the Hypertext Markup Language (HTML), theFile Transfer Protocol (FTP), or the Simple Mail Transfer Protocol(SMTP).

In another embodiment, the computing systems 120 and the gateway 125 arevirtual computing systems. For example, the computing systems 120 may beimplemented as virtual systems using machine virtualization technologiessuch as VMware™ sold by VMware, Inc. In another embodiment, the virtualsystems include VM software profiles and the controller 115automatically updates the VM software profiles to be representative ofthe communication network 130. The gateway 125 and the computer network110 may also be implemented as a combination of virtual and realsystems.

In another embodiment, the computer network 110 is a virtual computernetwork. The computer network 110 includes network device drivers (e.g.,special purpose network device drivers) that do not access a physicalnetwork, but instead use software message passing between the differentvirtual computing systems 120 in the computer network 110. The networkdevice drivers may log data packets of network communications in thecomputer network 110, which represent the monitored behavior of thecomputer network 110.

In various embodiments, the computer worm sensor 105 establishes asoftware environment of the computer network 110 (e.g., computerprograms in the computing systems 120) to reflect a software environmentof a selected computer network (e.g., the communication network 130).For example, the computer worm sensor 105 can select a softwareenvironment of a computer network typically attacked by computer worms(e.g., a software environment of a commercial communication network) andcan configure the computer network 110 to reflect that softwareenvironment. In a further embodiment, the computer worm sensor 105updates the software environment of the computer network 110 to reflectchanges in the software environment of the selected computer network. Inthis way, the computer worm sensor 105 can effectively detect a computerworm that targets a recently deployed software program or softwareprofile in the software environment (e.g., a widely deployed softwareprofile).

The computer worm sensor 105 can also monitor the software environmentof the selected computer network and automatically update the softwareenvironment of the computer network 110 to reflect the softwareenvironment of the selected computer network. For example, the computerworm sensor 105 can modify the software environment of the computernetwork 110 in response to receiving an update for a software program(e.g., a widely used software program) in the software environment ofthe selected computer network.

In another embodiment, the computer worm sensor 105 has a probemechanism to automatically check the version, the release number, andthe patch-level of major operating systems and application softwarecomponents installed in the communication network 130. Additionally, thecomputer worm sensor 105 has access to a central repository ofup-to-date versions of the system and application software components.In this embodiment, the computer worm sensor 105 detects a widely usedsoftware component (e.g., software program) operating in thecommunication network 130, downloads the software component from thecentral repository, and automatically deploys the software component inthe computer network 110 (e.g., installs the software component in thecomputing systems 120). The computer worm sensor 105 may coordinate withother computer worm sensors 105 to deploy the software component in thecomputer networks 110 of the computer worm sensors 105. In this way, thesoftware environment of each computer worm sensor 105 is modified tocontain the software component.

In another embodiment, the computer worm sensors 105 are automaticallyupdated from a central computing system (e.g., a computing server) byusing a push model. In this embodiment, the central computing systemobtains updated software components and sends the updated softwarecomponents to the computer worm sensors 105. Moreover, the softwareenvironments of the computer worm sensors 105 can represent widelydeployed software that computer worms are likely to target. Examples ofavailable commercial technologies that can aid in the automated updateof software and software patches in a networked environment include N1products sold by SUN Microsystems, Inc.™ and Adaptive Infrastructureproducts sold by the Hewlett Packard Company™.

The computer worm sensor 105, in some embodiments, can maintain anoriginal image of the computer network 110 (e.g., a copy of the originalfile system for each computing system 120) in a virtual machine that isisolated from both of the computer network 110 and the communicationnetwork 130 (e.g., not connected to the computer network 110 or thecommunication network 130). The computer worm sensor 105 obtains acurrent image of an infected computing system 120 (e.g., a copy of thecurrent file system of the computing system 120) and compares thecurrent image with the original image of the computer network 110 toidentify any discrepancies between these images, which represent ananomalous behavior of a computer worm in the infected computing system120.

The computer worm sensor 105 generates a recovery script based on thediscrepancies between the current image and the original image of thecomputing system 120. The recovery script can be used to disable thecomputer worm in the infected computing system 120 and repair damage tothe infected computing system 120 caused by the computer worm. Forexample, the recovery script may include computer program code foridentifying infected software programs or memory locations based on thediscrepancies, and for removing the discrepancies from the infectedsoftware programs or memory locations. The infected computing system 120can then execute the recovery script to disable (e.g., destroy) thecomputer worm and repair any damage to the infected computing system 120caused by the computer worm.

The recovery script may include computer program code for replacing thecurrent file system of the computing system 120 with the original filesystem of the computing system 120 in the original image of the computernetwork 110. Alternatively, the recovery script may include computerprogram code for replacing infected files with the correspondingoriginal files of the computing system 120 in the original image of thecomputer network 110. In still another embodiment, the computer wormsensor 105 includes a file integrity checking mechanism (e.g., atripwire) for identifying infected files in the current file system ofthe computing system 120. The recovery script can also include computerprogram code for identifying and restoring files modified by a computerworm to reactivate the computer worm during reboot of the computingsystem 120 (e.g., reactivate the computer worm after the computer wormis disabled).

In one embodiment, the computer worm sensor 105 occupies a predeterminedaddress space (e.g., an unused address space) in the communicationnetwork 130. The communication network 130 redirects those networkcommunications directed to the predetermined address space to thecomputer worm sensor 105. For example, the communication network 130 canredirect network communications to the computer worm sensor 105 by usingvarious IP layer redirection techniques. In this way, an active computerworm using a random IP address scanning technique (e.g., a scan directedcomputer worm) can randomly select an address in the predeterminedaddress space and can infect the computer worm sensor 105 based on theselected address (e.g., transmitting a network communication containingthe computer worm to the selected address).

An active computer worm can select an address in the predeterminedaddress space based on a previously generated list of target addresses(e.g., a hit-list directed computer worm) and can infect a computingsystem 120 located at the selected address. Alternatively, an activecomputer worm can identify a target computing system 120 located at theselected address in the predetermined address space based on apreviously generated list of target systems, and then infect the targetcomputing system 120 based on the selected address.

In various embodiments, the computer worm sensor 105 identifies datapackets directed to the predetermined address space and redirects thedata packets to the computer worm sensor 105 by performing networkaddress translation (NAT) on the data packets. For example, the computernetwork 110 may perform dynamic NAT on the data packets based on one ormore NAT tables to redirect data packets to one or more computingsystems 120 in the computer network 110. In the case of a hit-listdirected computer worm having a hit-list that does not have a networkaddress of a computing system 120 in the computer network 110, thecomputer network 110 can perform NAT to redirect the hit-list directedcomputer worm to one of the computing systems 120. Further, if thecomputer worm sensor 105 initiates a network communication that is notdefined by the orchestrated behavior of the computer network 110, thecomputer network 110 can dynamically redirect the data packets of thenetwork communication to a computing system 120 in the computer network110.

In another embodiment, the computer worm sensor 105 operates inconjunction with dynamic host configuration protocol (DHCP) servers inthe communication network 130 to occupy an address space in thecommunication network 130. In this embodiment, the computer worm sensor105 communicates with each DHCP server to determine which IP addressesare unassigned to a particular subnet associated with the DHCP server inthe communication network 130. The computer worm sensor 105 thendynamically responds to network communications directed to thoseunassigned IP addresses. For example, the computer worm sensor 105 candynamically generate an address resolution protocol (ARP) response to anARP request.

In another embodiment, a traffic analysis device 135 analyzescommunication traffic in the communication network 130 to identify asequence of network communications characteristic of a computer worm.The traffic analysis device 135 may use one or more well-known wormtraffic analysis techniques to identify a sequence of networkcommunications in the communication network 130 characteristic of acomputer worm. For example, the traffic analysis device 135 may identifya repeating pattern of network communications based on the destinationports of data packets in the communication network 130. The trafficanalysis device 135 duplicates one or more network communications in thesequence of network communications and provides the duplicated networkcommunications to the controller 115, which emulates the duplicatednetwork communications in the computer network 110.

The traffic analysis device 135 may identify a sequence of networkcommunications in the communication network 130 characteristic of acomputer worm by using heuristic analysis techniques (i.e., heuristics)known to those skilled in the art. For example, the traffic analysisdevice 135 may detect a number of IP address scans, or a number ofnetwork communications to an invalid IP address, occurring within apredetermined period. The traffic analysis device 135 determines whetherthe sequence of network communications is characteristic of a computerworm by comparing the number of IP address scans or the number ofnetwork communications in the sequence to a heuristics threshold (e.g.,one thousand IP address scans per second).

The traffic analysis device 135 may lower typical heuristics thresholdsof these heuristic techniques to increase the rate of computer wormdetection, which can also increase the rate of false positive computerworm detection by the traffic analysis device 135. Because the computerworm sensor 105 emulates the duplicated network communications in thecomputer network 110 to determine whether the network communicationsinclude an anomalous behavior of a computer worm, the computer wormsensor 105 may increase the rate of computer worm detection withoutincreasing the rate of false positive worm detection.

In another embodiment, the traffic analysis device 135 filters networkcommunications characteristic of a computer worm in the communicationnetwork 130 before providing duplicate network communications to thecontroller 115. For example, a host A in the communication network 130can send a network communication including an unusual data byte sequence(e.g., worm code) to a TCP/UDP port of a host B in the communicationnetwork 130. In turn, the host B can send a network communicationincluding a similar unusual data byte sequence to the same TCP/UDP portof a host C in the communication network 130. In this example, thenetwork communications from host A to host B and from host B to host Crepresent a repeating pattern of network communication. The unusual databyte sequences may be identical data byte sequences or highly correlateddata byte sequences. The traffic analysis device 135 filters therepeating pattern of network communications by using a correlationthreshold to determine whether to duplicate the network communicationand provide the duplicated network communication to the controller 115.

The traffic analysis device 135 may analyze communication traffic in thecommunication network 130 for a predetermined period. For example, thepredetermined period can be a number of seconds, minutes, hours, ordays. In this way, the traffic analysis device 135 can detect slowpropagating computer worms as well as fast propagating computer worms inthe communication network 130.

The computer worm sensor 105 may contain a computer worm (e.g., ascanning computer worm) within the computer network 110 by performingdynamic NAT on an unexpected network communication originating in thecomputer network 110 (e.g., an unexpected communication generated by acomputing system 120). For example, the computer worm sensor 105 canperform dynamic NAT on data packets of an IP address range scanoriginating in the computer network 110 to redirect the data packets toa computing system 120 in the computer network 110. In this way, thenetwork communication is contained in the computer network 110.

In another embodiment, the computer worm sensor 105 is topologicallyknit into the communication network 130 to facilitate detection of atopologically directed computer worm. The controller 115 may use variousnetwork services in the communication network 130 to topologically knitthe computer worm sensor 105 into the communication network 130. Forexample, the controller 115 may generate a gratuitous ARP responseincluding the IP address of a computing system 120 to the communicationnetwork 130 such that a host in the communication network 130 stores theIP address in an ARP cache. In this way, the controller 115 plants theIP address of the computing system 120 into the communication network130 to topologically knit the computing system 120 into thecommunication network 130.

The ARP response generated by the computer worm sensor 105 may include amedia access control (MAC) address and a corresponding IP address forone or more of the computing systems 120. A host (e.g., a computingsystem) in the communication network 130 can then store the MAC and IPaddresses in one or more local ARP caches. A topologically directedcomputer worm can then access the MAC and IP addresses in the ARP cachesand can target the computing systems 120 based on the MAC or IPaddresses.

In various embodiments, the computer worm sensor 105 can acceleratenetwork activities in the computer network 110. In this way, thecomputer worm sensor 105 can reduce the time for detecting atime-delayed computer worm (e.g., the CodeRed-II computer worm) in thecomputer network 110. Further, accelerating the network activities inthe computer network 110 may allow the computer worm sensor 105 todetect the time-delayed computer worm before the time-delayed computerworm causes damage in the communication network 130. The computer wormsensor 105 can then generate a recovery script for the computer worm andprovide the recovery script to the communication network 130 fordisabling the computer worm in the communication network 130.

The computing system 120 in the computer network can accelerate networkactivities by intercepting time-sensitive system calls (e.g.,“time-of-day” or “sleep” system calls) generated by a software programexecuting in the computing system 120 or responses to such systemscalls, and then modifying the systems calls or responses to accelerateexecution of the software program. For example, the computing system 120can modify a parameter of a “sleep” system call to reduce the executiontime of this system call or modify the time or date in a response to a“time-of-day” system call to a future time or date. Alternatively, thecomputing system 120 can identify a time consuming program loop (e.g., along, central processing unit intensive while loop) executing in thecomputing system 120 and can increase the priority of the softwareprogram containing the program loop to accelerate execution of theprogram loop.

In various embodiments, the computer worm sensor 105 includes one ormore computer programs for identifying execution anomalies in thecomputing systems 120 (e.g., anomalous behavior in the computer network110) and distinguishing a propagation vector of a computer worm fromspurious traffic (e.g. chaff traffic) generated by the computer worm. Inone embodiment, the computing systems 120 execute the computing programsto identify execution anomalies occurring in the computing network 110.The computer worm sensor 105 correlates these execution anomalies withthe monitored behavior of the computer worm to distinguish computingprocesses (e.g., network services) that the computer worm exploits forpropagation purposes from computing processes that only receive benignnetwork traffic from the computer worm. The computer worm sensor 105then determines a propagation vector of the computer worm based on thecomputing processes that the computer worm propagates for exploitativepurposes. In a further embodiment, each computing system 120 executing afunction of one of the computer programs as an intrusion detectionsystem (IDS) by generating a computer worm intrusion indicator inresponse to detecting an execution anomaly.

In one embodiment, the computer worm sensor 105 tracks system callsequences to identify an execution anomaly in the computing system 120.For example, the computer worm sensor 105 can use finite state automatatechniques to identify an execution anomaly. Additionally, the computerworm system 105 may identify an execution anomaly based on call-stackinformation for system calls executed in a computing system 120. Forexample, a call-stack execution anomaly may occur when a computer wormexecutes system calls from the stack or the heap of the computing system120. The computer worm system 105 may also identify an execution anomalybased on virtual path identifiers in the call-stack information.

The computer worm system 105 may monitor transport level ports of acomputing system 120. For example, the computer worm sensor 105 canmonitor systems calls (e.g., “bind” or “recvfrom” system calls)associated with one or more transport level ports of a computing processin the computing system 120 to identify an execution anomaly. If thecomputer worm system 105 identifies an execution anomaly for one of thetransport level ports, the computer worm sensor 105 includes thetransport level port in the identifier (e.g., a signature or a vector)of the computer worm, as is described more fully herein.

In another embodiment, the computer worm sensor 105 analyzes binary code(e.g., object code) of a computing process in the computing system 120to identify an execution anomaly. The computer worm system 105 may alsoanalyze the call stack and the execution stack of the computing system120 to identify the execution anomaly. For example, the computer wormsensor 105 may perform a static analysis on the binary code of thecomputing process to identify possible call stacks and virtual pathidentifiers for the computing process. The computer worm sensor 105 thencompares an actual call stack with the identified call stacks toidentify a call stack execution anomaly in the computing system 120. Inthis way, the computer worm sensor 105 can reduce the number of falsepositive computer worm detections and false negative computer wormdetections. Moreover, if the computer worm sensor 105 can identify allpossible call-stacks and virtual path identifiers for the computingprocess, the computer worm sensor 105 can have a zero false positiverate of computer worm detection.

In another embodiment, the computer worm sensor 105 identifies one ormore anomalous program counters in the call stack. For example, ananomalous program counter can be the program counter of a system callgenerated by worm code of a computer worm. The computer worm sensor 105tracks the anomalous program counters and determines an identifier fordetecting the computer worm based on the anomalous program counters.Additionally, the computer worm sensor 105 can determine whether amemory location (e.g., a memory address or a memory page) referenced bythe program counter is a writable memory location. The computer wormsensor 105 then determines whether the computer worm has exploited thememory location. For example, a computer worm can store worm code into amemory location by exploiting a vulnerability of the computing system120 (e.g., a buffer overflow mechanism).

The computer worm sensor 105 may take a snapshot of data in the memoryaround the memory location referenced by the anomalous program counter.The computer worm sensor 105 then searches the snapshot for data inrecent data packets received by the computing process (e.g., computingthread) associated with the anomalous program counter. The computer wormsensor 105 searches the snapshot by using a searching algorithm tocompare data in the recent data packets with a sliding window of data(e.g., 16 bytes of data) in the snapshot. If the computer worm sensor105 finds a match between the data in a recent data packet and the datain the sliding window, the matching data is deemed to be a signaturecandidate for the computer worm.

In another embodiment, the computing system 120 tracks the integrity ofcomputing code in a computing system 120 to identify an executionanomaly in the computing system 120. The computing system 120 associatesan integrity value with data stored in the computing system 120 toidentify the source of the data. If the data is from a known source(e.g., a computing program) in the computing system 120, the integrityvalue is set to one, otherwise the integrity value is set to zero. Forexample, data received by the computing system 120 in a networkcommunication is associated with an integrity value of zero. Thecomputing system 120 stores the integrity value along with the data inthe computing system 120, and monitors a program counter in thecomputing system 120 to identify an execution anomaly based on theintegrity value. A program counter having an integrity value of zeroindicates that data from a network communication is stored in theprogram counter, which represents an execution anomaly in the computingsystem 120.

The computing system 120 may use the signature extraction algorithm toidentify a decryption routine in the worm code of a polymorphic worm,such that the decryption routine is deemed to be a signature candidateof the computer worm. Additionally, the computer worm sensor 105 maycompare signature candidates identified by the computing systems 120 inthe computer worm sensor 105 to determine an identifier for detectingthe computer worm. For example, the computer worm sensor 105 canidentify common code portions in the signature candidates to determinean identifier for detecting the computer worm. In this way, the computerworm sensor 105 can determine an identifier of a polymorphic wormcontaining a mutating decryption routine (e.g., polymorphic code).

In another embodiment, the computer worm sensor 105 monitors networktraffic in the computer network 110 and compares the monitored networktraffic with typical network traffic patterns occurring in a computernetwork to identify anomalous network traffic in the computer network110. The computer worm sensor 105 determines signature candidates basedon data packets of the anomalous network traffic (e.g., extractssignature candidates from the data packets) and determines identifiersfor detecting computer worms based on the signature candidates.

In another embodiment, the computer worm sensor 105 evaluatescharacteristics of a signature candidate to determine the quality of thesignature candidate, which indicates an expected level of false positivecomputer worm detection in a computer network (e.g., the communicationnetwork 130). For example, a signature candidate having a high qualityis not contained in data packets of typical network traffic occurring inthe computer network. Characteristics of a signature candidate include aminimum length of the signature candidate (e.g., 16 bytes of data) andan unusual data byte sequence. In one embodiment, the computer wormsensor 105 performs statistical analysis on the signature candidate todetermine whether the signature candidate includes an unusual bytesequence. For example, computer worm sensor 105 can determine acorrelation between the signature candidate and data contained intypical network traffic. In this example, a low correlation (e.g., zerocorrelation) indicates a high quality signature candidate.

In another embodiment, the computer worm sensor 105 identifies executionanomalies by detecting unexpected computing processes in the computernetwork 110 (i.e., computing processes that are not part of theorchestrated behavior of the computing network 110). The operatingsystems in the computing systems 120 may be configured to detectcomputing processes that are not in a predetermined collection ofcomputing processes. In another embodiment, a computing system 120 isconfigured as a network server that permits a host in the communicationnetwork 130 to remotely execute commands on the computing system 120.For example, the original Morris computer worm exploited a debug mode ofsendmail that allowed remote command execution in a mail server.

In some cases, the intrusion detection system of the computer wormsensor 105 detects an active computer worm based on anomalous networktraffic in the computer network 110, but the computer worm sensor 105does not detect an execution anomaly caused by a computing process inthe computer network 110. In these cases, the computer worm sensor 105determines whether the computer worm has multiple possible transportvectors based on the ports being accessed by the anomalous networktraffic in the computer network 110. If the computer network 110includes a small number of ports (e.g., one or two), the computer wormsensor 105 can use these ports to determine a vector for the computerworm. Conversely, if the computer network 110 includes many ports (e.g.,three or more ports), the computer worm sensor 105 partitions thecomputing services in the computer network 110 at appropriate controlpoints to determine those ports exploited by the computer worm.

The computer worm sensor 105 may randomly block ports of the computingsystems 120 to suppress traffic to these blocked ports. Consequently, acomputer worm having a transport vector that requires one or more of theblocked ports will not be able to infect a computing system 120 in whichthose ports are blocked. The computer worm sensor 105 then correlatesthe anomalous behavior of the computer worm across the computing systems120 to determine which ports the computer worm has used for diversionarypurposes (e.g., emitting chaff) and which ports the computer worm hasused for exploitive purposes. The computer worm sensor 105 thendetermines a transport vector of the computer worm based on the portsthat the computer worm has used for exploitive purposes.

FIG. 2 depicts an exemplary embodiment of the controller 115. Thecontroller 115 includes an extraction unit 200, an orchestration engine205, a database 210, and a software configuration unit 215. Theextraction unit 200, the orchestration engine 205, the database 210, andthe software configuration unit 215 are in communication with each otherand with the computer network 110 (FIG. 1). Optionally, the controller115 includes a protocol sequence replayer 220 in communication with thecomputer network 110 and the traffic analysis device 135 (FIG. 1).

In various embodiments, the orchestration engine 205 controls the stateand operation of the computer worm sensor 105 (FIG. 1). In oneembodiment, the orchestration engine 205 configures the computingsystems 120 (FIG. 1) and the gateway 125 (FIG. 1) to operate in apredetermined manner in response to network activities occurring in thecomputer network 110, and generates network activities in the computernetwork 110 and the communication network 130 (FIG. 1). In this way, theorchestration engine 205 orchestrates network activities in the computernetwork 110. For example, the orchestration engine 205 may orchestratenetwork activities in the computer network 110 by generating anorchestration sequence (e.g., a predetermined sequence of networkactivities) among various computing systems 120 in the computer network110, including network traffic that typically occurs in thecommunication network 130.

In one embodiment, the orchestration engine 205 sends orchestrationrequests (e.g., orchestration patterns) to various orchestration agents(e.g., computing processes) in the computing systems 120. Theorchestration agent of a computing system 120 performs a periodic sweepof computing services (e.g., network services) in the computing system120 that are potential targets of a computer worm attack. The computingservices in the computing system 120 may includes typical networkservices (e.g., web service, FIP service, mail service, instantmessaging, or Kazaa) that are also in the communication network 130.

The orchestration engine 205 may generate a wide variety oforchestration sequences to exercise a variety of computing services inthe computer network 110, or may select orchestration patterns to avoidloading the communication network 110 with orchestrated network traffic.Additionally, the orchestration engine 205 may select the orchestrationpatters to vary the orchestration sequences. In this way, a computerworm is prevented from scanning the computer network 110 to predict thebehavior of the computer network 110.

In various embodiments, the software configuration unit 215 dynamicallycreates or destroys virtual machines (VMs) or VM software profiles inthe computer network 110, and may initialize or update the softwarestate of the VMs or VM software profiles. In this way, the softwareconfiguration unit 215 configures the computer network 110 such that thecontroller 115 can orchestrate network activities in the computernetwork 110 based on one or more orchestration patterns. It is to beappreciated that the software configuration unit 215 is optional invarious embodiments of the computer worm sensor 105.

In various embodiments, the extraction unit 200 determines an identifierfor detecting the computer worm. In these embodiments, the extractionunit 200 can extract a signature or a vector of the computer worm basedon network activities (e.g., an anomalous behavior) occurring in thecomputer network 110, for example from data (e.g., data packets) in anetwork communication.

The database 210 stores data for the computer worm sensor 105, which mayinclude a configuration state of the computer worm sensor 105. Forexample, the configuration state may include orchestration patterns or“golden” software images of computer programs (i.e., original softwareimages uncorrupted by a computer worm exploit). The data stored in thedatabase 210 may also includes identifiers or recovery scripts forcomputer worms, or identifiers for the sources of computer worms in thecommunication network 130. The identifier for the source of eachcomputer worm may be associated with the identifier and the recoveryscript of the computer worm.

The protocol sequence replayer 220 receives a network communication fromthe traffic analysis device 135 (FIG. 1) representing a networkcommunication in the communication network 130 and replays (i.e.,duplicates) the network communication in the computer network 110. Theprotocol sequence replayer 220 may receive the network communicationfrom the traffic analysis device 135 via a private encrypted network(e.g., a virtual private network) within the communication network 130or via another communication network. The controller 115 monitors thebehavior of the computer network 110 in response to the networkcommunication to determine a monitored behavior of the computer network110 and determine whether the monitored behavior includes an anomalousbehavior, as is described more fully herein.

In one embodiment, the protocol sequence replayer 220 includes a queue225 for storing network communications. The queue 225 receives a networkcommunication from the traffic analysis device 135 and temporarilystores the network communication until the protocol sequence replayer220 is available to replay the network communication. In anotherembodiment, the protocol sequence replayer 220 is a computing system 120in the computer network 110. For example, the protocol sequence replayer200 may be a computer server including computer program code forreplaying network communications in the computer network 110.

In another embodiment, the protocol sequence replayer 220 is incommunication with a port (e.g., connected to a network port) of anetwork device in the communication network 130 and receives duplicatednetwork communications occurring in the communication network 130 fromthe port. For example, the port can be a Switched Port Analyzer (SPAN)port of a network switch or a network router in the communicationnetwork 130, which duplicates network traffic in the communicationnetwork 130. In this way, various types of active and passive computerworms (e.g., hit-list directed, topologically-directed, server-directed,and scan-directed computer worms) may propagate from the communicationnetwork 130 to the computer network 110 via the duplicated networktraffic.

The protocol sequence replayer 220 replays the data packets in thecomputer network 110 by sending the data packets to a computing system120 having the same class (e.g., Linux or Windows platform) as theoriginal target system of the data packets. In various embodiments, theprotocol network replayer 220 synchronizes any return network trafficgenerated by the computing system 120 in response to the data packets.The protocol sequence replayer 220 may suppress (e.g., discard) thereturn network traffic such that the return network traffic is nottransmitted to a host in the communication network 130. In oneembodiment, the protocol sequence replayer 220 replays the data packetsby sending the data packets to the computing system 120 via a TCPconnection or UDP session. In this embodiment, the protocol sequencereplayer 220 synchronizes return network traffic by terminating the TCPconnection or UDP session.

The protocol sequence replayer 220 may modify destination IP addressesof data packets in the network communication to one or more IP addressesof the computing systems 120 and replay (i.e., generate) the modifieddata packets in the computer network 110. The controller 115 monitorsthe behavior of the computer network 110 in response to the modifieddata packets, and may detect an anomalous behavior in the monitoredbehavior, as is described more fully herein. If the controller 115identifies an anomalous behavior, the computer network 110 is deemed tobe infected with a computer worm and the controller 115 determines anidentifier for the computer worm, as is described more fully herein.

The protocol sequence replayer 220 may analyze data packets in asequence of network communications in the communication network 130 toidentify a session identifier. The session identifier identifies acommunication session for the sequence of network communications and candistinguish the network communications in the sequence from othernetwork communications in the communication network 130. For example,each communication session in the communication network 130 can have aunique session identifier. The protocol sequence replayer 220 mayidentify the session identifier based on the communication protocol ofthe network communications in the sequence. For instance, the sessionidentifier may be in a field of a data packet header as specified by thecommunication protocol. Alternatively, the protocol sequence replayer220 may infer the session identifier from repeating networkcommunications in the sequence. For example, the session identifier istypically one of the first fields in an application level communicationbetween a client and a server (e.g., computing system 120) and isrepeatedly used in subsequent communications between the client and theserver.

The protocol sequence replayer 220 may modify the session identifier inthe data packets of the sequence of network communications. The protocolsequence replayer 220 generates an initial network communication in thecomputer network 110 based on a selected network communication in thesequence, and the computer network 110 (e.g., a computing system 120)generates a response including a session identifier. The protocolsequence replayer 220 then substitutes the session identifier in theremaining data packets of the network communication with the sessionidentifier of the response. In a further embodiment, the protocolsequence replayer 220 dynamically modifies session variables in the datapackets, as is appropriate, to emulate the sequence of networkcommunications in the computer network 110.

The protocol sequence replayer 220 may determine the software orhardware profile of a host (e.g., a computing system) in thecommunication network 130 to which the data packets of the networkcommunication are directed. The protocol sequence replayer 220 thenselects a computing system 120 in the computer network 110 that has thesame software or hardware profile of the host and performs dynamic NATon the data packets to redirect the data packets to the selectedcomputing system 120. Alternatively, the protocol sequence replayer 220randomly selects a computing system 120 and performs dynamic NAT on thedata packets to redirect the data packets to the randomly selectedcomputing system 120.

In one embodiment, the traffic analysis device 135 can identify arequest (i.e., a network communication) from a web browser to a webserver in the communication network 130, and a response (i.e., a networkcommunication) from the web server to the web browser. In this case, theresponse may include a passive computer worm. The traffic analysisdevice 135 may inspect web traffic on a selected network link in thecommunication network 130 to identify the request and response. Forexample, the traffic analysis device 135 may select the network link oridentify the request based on a policy. The protocol sequence replayer220 orchestrates the request in the computer network 110 such that a webbrowser in a computing system 120 initiates a substantially similarrequest. In response to this request, the protocol sequence replayer 220generates a response to the web browser in the computing system 120,which is substantially similar to the response generated by the browserin the communication network 130. The controller 115 then monitors thebehavior of the web browser in the computing system 120 and may identifyan anomalous behavior in the monitored behavior. If the controller 115identifies an anomalous behavior, the computer network 110 is deemed tobe infected with a passive computer worm.

FIG. 3 depicts an exemplary computer worm detection system 300. Thecomputer worm detection system 300 includes multiple computer wormsensors 105 and a sensor manager 305. Each of the computer worm sensors130 is in communication with the sensor manager 305 and thecommunication network 130. The sensor manager 305 coordinatescommunications or operations between the computer worm sensors 105.

In one embodiment, each computer worm sensor 105 randomly blocks one ormore ports of the computing systems 120. Accordingly, some of the wormsensors 105 may detect an anomalous behavior of a computer worm, asdescribed more fully herein. The worm sensors 105 that detect ananomalous behavior communicate the anomalous behavior (e.g., a signaturecandidate) to the sensor manager 305. In turn, the sensor manager 305correlates the anomalous behaviors and determines an identifier (e.g., atransport vector) for detecting the computer worm.

In some cases, a human intruder (e.g., a computer hacker) may attempt toexploit vulnerabilities that a computer worm would exploit in a computerworm sensor 105. The sensor manager 305 may distinguish an anomalousbehavior of a human intruder from an anomalous behavior of a computerworm by tracking the number of computing systems 120 in the computerworm sensors 105 that detect a computer worm within a given period. Ifthe number of computing systems 120 detecting a computer worm within thegiven period exceeds a predetermined threshold, the sensor manager 305determines that a computer worm caused the anomalous behavior.Conversely, if the number of computing systems 120 detecting a computerworm within the given period is equal to or less than the predeterminedthreshold, the sensor manager 300 determines that a human intrudercaused the anomalous behavior. In this way, false positive detections ofthe computer worm may be decreased.

In one embodiment, each computer worm sensor 105 maintains a list ofinfected hosts (e.g., computing systems infected by a computer worm) inthe communication network 130 and communicates the list to the sensormanager 305. In this way, computer worm detection system 300 maintains alist of infected hosts detected by the computer worm sensors 105.

FIG. 4 depicts a flow chart for an exemplary method of detectingcomputer worms, in accordance with one embodiment of the presentinvention. In step 400, the computer worm sensor 105 (FIG. 1)orchestrates a sequence of network activities in the computer network110 (FIG. 1). For example, the orchestration engine 205 (FIG. 2) of thecomputer worm sensor 105 can orchestrate the sequence of networkactivity in the computer network 110 based on one or more orchestrationpatterns, as is described more fully herein.

In step 405, the controller 115 (FIG. 1) of the computer worm sensor 105monitors the behavior of the computer network 110 in response to thepredetermined sequence of network activity. For example, theorchestration engine 205 (FIG. 2) of the computer worm sensor 105 canmonitor the behavior of the computer network 110. The monitored behaviorof the computer network 110 may include one or more network activitiesin addition to the predetermined sequence of network activities ornetwork activities that differ from the predetermined sequence ofnetwork activities.

In step 410, the computer worm sensor 105 identifies an anomalousbehavior in the monitored behavior to detect a computer worm. In oneembodiment, the controller 115 identifies the anomalous behavior bycomparing the predetermined sequence of network activities with networkactivities in the monitored behavior. For example, the orchestrationengine 205 of the controller 115 can identify the anomalous behavior bycomparing network activities in the monitored behavior with one or moreorchestrated behaviors defining the predetermined sequence of networkactivities. The computer worm sensor 105 evaluates the anomalousbehavior to determine whether the anomalous behavior is caused by acomputer worm, as is described more fully herein.

In step 415, the computer worm sensor 105 determines an identifier fordetecting the computer worm based on the anomalous behavior. Theidentifier may include a signature or a vector of the computer worm, orboth. For example, the vector can be a transport vector, an attackvector, or a payload vector. In one embodiment, the extraction unit 200of the computer worm sensor 105 determines the signature of the computerworm based on one or more signature candidates, as is described morefully herein. It is to be appreciated that step 415 is optional inaccordance with various embodiments of the computer worm sensor 105.

In step 420, the computer worm sensor 105 generates a recovery scriptfor the computer worm. An infected host (e.g., an infected computingsystem or network) can then execute the recovery script to disable(e.g., destroy) the computer worm in the infected host or repair damageto the host caused by the computer worm. The computer worm sensor 105may also identify a host in the communication network 130 that is thesource of the computer worm and provides the recovery script to the hostsuch that the host can disable the computer worm and repair damage tothe host caused by the computer worm.

In one embodiment, the controller 115 determines a current image of thefile system in the computer network 120, and compares the current imagewith an original image of the file system in the computer network 120 toidentify any discrepancies between the current image and the originalimage. The controller 115 then generates the recovery script based onthese discrepancies. The recovery script includes computer program codefor identifying infected software programs or memory locations based onthe discrepancies, and removing the discrepancies from infected softwareprograms or memory locations.

FIG. 5 depicts an exemplary embodiment of a computer worm containmentsystem 500 comprising a worm sensor 105 in communication with a computerworm blocking system, shown here as a single blocking device 510, over acommunication network 130. The blocking device 510 is configured toprotect one or more computing services 520. Although the blocking device510 is shown in FIG. 5 as integrated within the computing service 520,the blocking device 510 can also be implemented as a network appliancebetween the computing service 520 and the communication network 130. Itwill be appreciated that the blocking device 510 can also be incommunication with more than one worm sensor 105 across thecommunication network 130. Further, although the communication network130 is illustrated as being distinct from the computing service 520, thecomputing service 520 can also be a component of the communicationnetwork 130.

Additionally, the computer worm blocking system can comprise multipleblocking devices 510 in communication with one or more computer wormblocking managers (not shown) across the communication network 130 inanalogous fashion to the computer worm detection system 300 of FIG. 3.The computer worm blocking managers coordinate communications andoperations between the blocking devices 510. In general, worm sensors105 and blocking devices 510 may be collocated, or they may beimplemented on separate devices, depending on the network environment.In one embodiment, communications between the worm sensors 105, thesensor manager 305, the blocking devices 510, and the computer wormblocking managers are cryptographically authenticated.

In one embodiment, the blocking device 510 loads a computer wormsignature into a content filter operating at the network level to blockthe computer worm from entering the computing service 520 from thecommunication network 130. In another embodiment, the blocking device510 blocks a computer worm transportation vector in the computingservice 520 by using transport level action control lists (ACLs) in thecomputing service 520.

More specifically, the blocking device 510 can function as a networkinterface between the communication network 130 and the correspondingcomputing service 520. For example, a blocking device 510 can be aninline signature based Intrusion Detection and Protection (IDP) system,as would be recognized by one skilled in the art. As another example,the blocking device 5.10 can be a firewall, network switch, or networkrouter that includes content filtering or ACL management capabilities.

An effective computer worm quarantine may require a proper networkarchitecture to ensure that blocking measures are effective incontaining the computer worm. For example, if there are contentfiltering devices or transport level ACL devices protecting a set ofsubnets on the computing service 520, then there should not be anotherpath from the computing service 520 on that subnet that does not passthrough the filtering device.

Assuming that the communication network 130 is correctly partitioned,the function of the blocking device 510 is to receive a computer wormidentifier, such as a signature list or transport vector, from the wormsensor 105 and configure the appropriate filtering devices. Thesefiltering devices can be commercially available switches, routers, orfirewalls obtainable from any of a number of network equipment vendors,or host-based solutions that provide similar functionality. In someembodiments, ACLs are used to perform universal blocking of thosetransport ports for the computing services 520 under protection. Forexample, traffic originating from a given source IP and intended for agiven destination IP with the destination port matching a transport portin the transport vector can be blocked.

Another class of filtering is content based filtering, in which thefiltering devices inspect the contents of the data past the TCP or UDPheader of a data packet to check for particular data sequences. Examplesof content filtering devices are routers in the class of the Cisco™routers that use Network Based Application Recognition (NBAR) toclassify and apply a policy to packets (e.g., reduce the priority of thepackets or discard the packets). These types of filtering devices can beuseful to implement content filtering at appropriate network points.

In one embodiment, host-based software is deployed on an enterprisescale to perform content filtering in the context of host-basedsoftware. In this embodiment, ACL specifications (e.g., vendorindependent ACL specifications) and content filtering formats (e.g.,extensible Markup Language or XML format) are communicated to theblocking devices 510, which in turn dynamically configure transport ACLsor content filters for network equipment and host software of differentvendors.

In the foregoing specification, the invention is described withreference to specific embodiments thereof, but those skilled in the artwill recognize that the invention is not limited thereto. Variousfeatures and aspects of the above-described invention may be usedindividually or jointly. Further, the invention can be utilized in anynumber of environments and applications beyond those described hereinwithout departing from the broader spirit and scope of thespecification. The specification and drawings are, accordingly, to beregarded as illustrative rather than restrictive. It will be recognizedthat the terms “comprising,” “including,” and “having,” as used herein,are specifically intended to be read as open-ended terms of art.

What is claimed is:
 1. A computer worm containment system incommunication with a real communication network, the system comprising:a computer worm detection system including a traffic analysis devicecoupled in communication with the real communication network andconfigured to identify and copy network traffic having characteristicsassociated with a computer worm in the real communication network, ahidden computer network configured to detect anomalies, and a controllercoupled to the hidden computer network, the controller being configuredto (a) receive the copied network traffic, (b) replay the copied networktraffic and a plurality of network activities generated within thehidden computer network in accordance with an identified pattern ofactivities, (c) monitor behavior of the hidden network in response tothe replay of the copied network traffic and the plurality of networkactivities, and (d) determine an identifier of a computer worm based onanomalous behavior caused within the hidden computer network by thecomputer worm, the identifier associated with anomalous character of thecomputer worm and the anomalous character of the computer worm beingdetermined by comparing the monitored behavior in the hidden computernetwork with behavior expected from the identified pattern ofactivities; and a computer worm blocking system configured to receivethe identifier and use the identifier to block the computer worm frompropagating within the real communication network.
 2. The computer wormcontainment system of claim 1 wherein the traffic analysis device,including hardware for coupling to the real communication network, isconfigured to duplicate a portion of the network traffic traveling overthe real communication network as the copied network traffic and providethe copied network traffic with the characteristics associated with thecomputer worm.
 3. The computer worm containment system of claim 1wherein the identified pattern of activities comprises one or morecomputing services to be performed in the hidden computer network. 4.The computer worm containment system of claim 1 wherein the anomalousbehavior includes a communication anomaly.
 5. The computer wormcontainment system of claim 1 wherein the anomalous behavior includes anexecution anomaly.
 6. The computer worm containment system of claim 1wherein the identifier includes a signature.
 7. The computer wormcontainment system of claim 6 wherein the signature includes adestination port and a sequence of tokens.
 8. The computer wormcontainment system of claim 1 wherein the identifier includes a vector.9. The computer worm containment system of claim 1 wherein thecontroller is further configured to generate a recovery script.
 10. Thecomputer worm containment system of claim 9 wherein the computer wormblocking system is further configured to use the recovery script todisable the computer worm within the real communication network.
 11. Thecomputer worm containment system of claim 9 wherein the computer wormblocking system is further configured to use the recovery script torepair damage caused by the computer worm within the real communicationnetwork.
 12. The computer worm containment system of claim 9 wherein therecovery script includes a detection process for detecting the computerworm and a recovery process for disabling the computer worm.
 13. Thecomputer worm containment system of claim 1 wherein the computer wormblocking system includes a blocking device integrated within a computingservice of the real communication network.
 14. The computer wormcontainment system of claim 1 wherein the computer worm blocking systemincludes multiple blocking devices and a computer worm blocking managerthat coordinates operations between the blocking devices.
 15. Thecomputer worm containment system of claim 1 wherein the computer wormdetection system and the computer worm blocking system are collocated.16. The computer worm containment system of claim 1 whereincommunications between the computer worm detection system and thecomputer worm blocking system are cryptographically authenticated. 17.The computer worm containment system of claim 1 wherein the computerworm blocking system is configured to load a signature into a contentfilter to block the computer worm.
 18. The computer worm containmentsystem of claim 1 wherein the computer worm blocking system isconfigured to block a computer worm transportation vector by using atransport level action control list.
 19. The computer worm containmentsystem of claim 1 wherein the computer worm blocking system includes aninline signature based Intrusion Detection and Protection system. 20.The computer worm containment system of claim 1 wherein the computerworm blocking system includes a router that employs Network BasedApplication Recognition to classify and apply a policy to data packets.21. The computer worm containment system of claim 1 wherein the hiddencomputer network is transparent to the real communication network. 22.The computer worm containment system of claim 1 wherein the hiddencomputer network is a virtual computer network that comprises one ormore virtual computing systems.
 23. The computer worm containment systemof claim 1 wherein being configured to replay includes being configuredto configure destination addresses of the network traffic forcompatibility with the hidden computer network.
 24. The computer wormcontainment system of claim 1 wherein the identifier characterizes theanomalous behavior.
 25. The computer worm containment system of claim 24wherein the anomalous behavior comprises an unexpected occurrence in themonitored behavior.
 26. The computer worm containment system of claim 1wherein the anomalous character of the computer worm comprises beingstatistically correlated to suspicious network traffic and not beingstatistically correlated to benign network traffic.
 27. The computerworm containment system of claim 26 wherein the suspicious networktraffic includes an unusual byte sequence.
 28. The computer wormcontainment system of claim 1 wherein the network traffic that ischaracteristic of a computer worm is configured to duplicate itself forpropagation.
 29. The computer worm containment system of claim 1 whereinthe computer worm is executable malicious code associated with thecopied network traffic.
 30. The computer worm containment system ofclaim 1 wherein the computer worm is a passive computer worm beinginformation attached to the network traffic and propagated along withthe network traffic and the copied network traffic.
 31. The computerworm containment system of claim 1 wherein the hidden computer networkcomprises one or more virtual computing systems, the one or more virtualcomputing systems being configured to detect the anomalous character ofthe computer worm.
 32. The computer worm containment system of claim 31,wherein the controller comprises a replayer that is configured toreceive the copied network traffic and to replay the plurality ofnetwork activities in the hidden computer network.
 33. The computer wormcontainment system of claim 32, wherein the replayer comprises aprotocol sequence replayer that receives data packets being part of thecopied network traffic from the traffic analysis device and controls aduplication of network operations including the plurality of networkactivities on the data packets by a first virtual computing system ofthe one or more virtual computing systems.
 34. The computer wormcontainment system of claim 32, wherein the replayer comprises aprotocol sequence replayer that receives the copied network traffic fromthe traffic analysis device and conducts the plurality of networkactivities on one or more data packets of the copied network trafficwithin a first virtual computing system of the one or more virtualcomputing systems.
 35. The computer worm containment system of claim 31,wherein each of the one or more virtual computing systems includes adifferent software profile.
 36. The computer worm containment system ofclaim 35, wherein a first virtual computing system of the one or morevirtual computing systems includes a browser as a software profile toreplay operations similar to operations by a web browser operating inthe real communication network.
 37. A method of containing a computerworm, the method comprising: detecting the computer worm by identifyingand copying network traffic within a real communication network that ischaracteristic of a computer worm, replaying the copied network trafficin accordance with a plurality of network activities within a hiddencomputer network configured to detect anomalies, monitoring behavior ofthe hidden computer network in response to the replay of the copiednetwork traffic and the plurality of network activities, and determiningan identifier of the computer worm based on anomalous behavior causedwithin the hidden computer network by the computer worm, using acontroller coupled to the hidden computer network for the determining,the identifier associated with anomalous character of the computer wormand the anomalous character of the computer worm being determined bycomparing monitored behavior in the hidden computer network withbehavior expected after conducting the plurality of network activities;providing the identifier to a computer worm blocking system of the realcommunication network; and blocking the computer worm from propagatingwithin the real communication network using the identifier.
 38. Themethod of claim 22 wherein identifying the network traffic within thereal communication network that is characteristic of the computer wormincludes using a heuristic analysis technique.
 39. The method of claim37 further comprising generating a recovery script a and providing therecovery script to the computer worm blocking system.
 40. The method ofclaim 37 wherein the identifier characterizes the anomalous behavior.41. The method of claim 40 wherein the anomalous behavior comprises anunexpected occurrence in the monitored behavior.
 42. The method of claim37 wherein the anomalous character of the computer worm comprises beingstatistically correlated to suspicious network traffic and not beingstatistically correlated to benign network traffic.
 43. The computerworm containment system of claim 42 wherein the suspicious networktraffic includes an unusual byte sequence.
 44. The method of claim 22wherein the network traffic that is characteristic of a computer worm isconfigured to duplicate itself for propagation.
 45. The method of claim37 wherein the copying of the network traffic is conducted by a trafficanalysis device that includes hardware for coupling to the realcommunication network, the traffic analysis device is configured toduplicate a portion of the network traffic traveling over the realcommunication network as the copied network traffic and provide thecopied network traffic with the characteristics associated with thecomputer worm.
 46. The method of claim 37 wherein the plurality ofnetwork activities comprises one or more computing services to beperformed in the hidden computer.
 47. The method of claim 37 wherein thecomputer worm is malicious code associated with the copied networktraffic.
 48. The method of claim 37 wherein the computer worm is apassive computer worm being information attached to the network trafficand propagated along with the network traffic and the copied networktraffic.
 49. The method of claim 37 wherein the hidden computer networkcomprises one or more virtual computing systems, the one or more virtualcomputing systems being configured to detect the anomalous character ofthe computer worm.
 50. The method of claim 49, wherein the controllercomprises a replayer that is configured to receive the copied networktraffic and to replay the plurality of network activities in the hiddencomputer network.
 51. The method of claim 50, wherein the replayercomprises a protocol sequence replayer that receives data packets beingpart of the copied network traffic from the traffic analysis device andcontrols a duplication of network operations including the plurality ofnetwork activities on the data packets by a first virtual computingsystem of the one or more virtual computing systems.
 52. The method ofclaim 50, wherein the replayer comprises a protocol sequence replayerthat receives the copied network traffic from the traffic analysisdevice and conducts the plurality of network activities on one or moredata packets of the copied network traffic within a first virtualcomputing system of the one or more virtual computing systems.
 53. Themethod of claim 49, wherein each of the one or more virtual computingsystems includes a different software profile.
 54. The method of claim53, wherein a first virtual computing system of the one or more virtualcomputing systems includes a browser as a software profile to replayoperations of a web browser operating in the real communication network.